Leaving data privacy up to individuals or social media companies is bound to fail

The General Data Protection Regulation (GDPR) set off an international email tsunami as companies scrambled to comply with the recent overhaul of the European Union’s digital privacy laws. The regulation, passed in 2016, requires any company doing business with EU citizens to adhere to enhanced data privacy guidelines or face legal action.

But just days into implementation, GDPR is facing major challenges. Non-compliance suits against Facebook and Google were filed on the same day the law went into effect.

Other media outlets, rather than comply, simply blocked access by EU citizens.

At the heart of the GDPR is a much larger debate around data, its ownership and the mechanisms of the contemporary internet. For technology companies, the value of data is paramount.

Facebook, as one prominent example, has shown a clear reticence to change how it obtains and uses data from its users despite recent appearances in front of lawmakers in the US and EU by the company’s CEO Mark Zuckerberg. As such, data breaches on the scale of Cambridge Analytica are bound to recur.

The GDPR is one attempt to streamline the data collection process and give users more awareness about how their data is used and collected. Given their history of invasive surveillance (think about East Germany’s Stasi here), the Europeans have a low tolerance for external parties recording their behaviour online.

Yet, government regulation alone is not enough to prevent companies from recklessly collecting data or stopping individuals from willingly handing over their personal for free internet services like Facebook.

The way the UAE handles data and broader education about the internet is instructive here. While the country’s data policies are restrictive, it is building a knowledge economy and has some of the highest per capita internet penetration in the Middle East.

Tight restriction doesn’t always translate to personal data protection or even a safe internet. In spite of the nation’s progressive rhetoric on digital transformation, services such as Skype or FaceTime are regularly blocked.

The restrictions don’t translate to safety nor a deeper awareness around the danger of too much data sharing on the internet. UAE residents lost Dh4 billion to cyber attacks in 2017, according to an annual report by Norton Securities. The Telecommunications Regulatory Authority (TRA) deflected 155 cyber attacks in the first four months of this year.

The other alternative — quitting the internet entirely — is ludicrous and borderline impossible.

Data privacy and protection can only stem from individual awareness of the dangers of oversharing. But individual behaviours are notoriously difficult to influence, and we will cheerfully hand over our mother’s maiden name for one more hit from the Facebook News Feed.

As with any public crisis, a two-pronged regulatory and education approach will have the highest chance of success. Similar to the anti-smoking and anti-drug campaigns in the US, governments should encourage data awareness campaigns in order to establish genuine protection for individual internet users.

In the 1990s, while the major tobacco companies and the US government readied for a showdown, a nationwide awareness campaign took root that fundamentally shifted attitudes toward cigarette smoking among America’s youth. Anti-smoking posters became ubiquitous in doctor’s offices and high school cafeterias.

Teachers introduced anti-smoking instruction to grade school curricula. Today, just 8 per cent of American teenagers report smoking cigarettes at least once a month, compared to 27 per cent in 1991. Twenty years after the last stand of the Marlboro Man, a majority of American high schoolers say smoking is gross.

The decline of cigarette smoking in the US has been a decades-long effort, requiring investment and collaboration across all sectors of society — including the grudging support of tobacco companies themselves. The battle for responsible data use will be equally hard-fought, and no less essential to our long-term well-being.

Backed by a forward-looking government with a strong track record of public-private partnerships, the UAE is well positioned to pioneer a data-awareness programme that will ultimately benefit individual well-being, and with its diverse population, serve as a test bed for similar initiatives across the globe.

Federal and emirate-level entities, such as the TRA and the Dubai Data initiative — who already have a mandate to conduct trainings and provide public education opportunities — could collaborate with local business leaders and schoolteachers to design a multi-pronged programme to create a meaningful shift in individual awareness and agency over personal data privacy, without blunting the positive benefits of data for society.

The impact of data on society will only continue to grow in the years and decades to come. Whether our data will help us or harm is a choice that ultimately rests with the individual.

But as a society, we have the opportunity to come together today to raise awareness to give ourselves the best prospect for a positive future. We might not get another chance.